Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
Business-Critical Application Security Will Become Increasingly Essential
By JP Perez-Etchegoyen, CTO and Cofounder of Onapsis
From critical vulnerabilities to ongoing ransomware attacks, 2022 was yet another catastrophic year for cybersecurity. However, looking back on the cyber events that took place this past year can also help us understand how hackers are evolving their techniques, and what cyber investments organizations need to start or continue making as a result. Let's take a look at a few of our top cybersecurity predictions for 2023:
Protecting ERP and business applications will be the fastest-growing application security category
ERP systems, such as SAP and Oracle applications, run essential business functions and contain an organization's most valuable data, from HR information to company financials. Despite their importance, security teams often lack complete visibility into their ERP threat landscape and are unable to detect hidden vulnerabilities and suspicious activity. This has become increasingly dangerous, as attacks against business-critical applications are quickly accelerating. SAP and Onapsis recently found evidence of more than 300 successful exploitation attempts against unsecured SAP applications, pointing to cybercriminals' clear understanding of ERP applications.
In the coming year, enterprises will ramp up the deployment of business-critical application security tools as the number of attacks against these systems continues to grow exponentially. With the general application security market expected to reach $22.54 billion by 2028, up from $6.95 billion in 2021, it's evident that organizations are already recognizing the increasing need to protect their enterprise crown jewels.
The utilities sector will become increasingly prone to attack
Previous cyberattacks against critical infrastructure have demonstrated the far-reaching, real-world impact they can cause, from Colonial Pipeline to the recent U.K. water treatment plant ransomware attack. While there have been significant steps forward to protect utilities organizations from attacks, such as the Environmental Protection Agency's plan to secure water systems and several enforced reporting requirements in 2022, critical cybersecurity gaps remain in the sector.
In 2023, attacks against utilities will accelerate, and organizations that aren't prepared may face far more damage than the aftermath of the Colonial Pipeline attack. This will put more pressure on the government to increase funding for smaller utilities companies that may not have the resources to defend themselves, as well as push these organizations to develop more robust cybersecurity programs.
Attackers will seek out the next Log4j vulnerability and will likely become successful
The impact of the Log4j flaw has been widespread and far-reaching, with countless organizations still reeling from its massive ripple effect. Log4j has underscored the level of difficulty in patching vulnerabilities within commonly used libraries, as almost every vendor within the software supply chain has been responsible for fixing it. Attackers have become well aware of this and have continued taking advantage of unpatched Log4j vulnerabilities. Just a few weeks ago, we saw North Korean nation-state threat actors exploiting Log4shell to hack energy providers and conduct espionage campaigns.
In 2023, we'll not only continue to see the breadth of Log4j's exposure increase, but we'll also see threat actors focusing more on exploiting open-source libraries. To mitigate the impact of a vulnerability as critical as Log4shell, organizations must adopt a risk-based vulnerability management program that helps them prioritize patching the vulnerabilities that pose the greatest risk.
During a time of economic downturn, organizations will go back to security basics
Given the current period of economic uncertainty, organizations will continue cutting their budgets and putting their dollars into resources that are most critical to their business. While strengthening their cybersecurity programs will be a priority in the coming year, organizations will begin rethinking the types of tools they are investing in. In 2023, we'll see organizations lean more toward fundamental security technologies to protect their business assets. For instance, business-critical application security tools, such as vulnerability management platforms specifically designed for enterprise resource planning (ERP) applications, will help defend the valuable data that enables an organization to operate successfully.
The exploitation of known vulnerabilities will become a leading attack vector
While threat actors are constantly on the hunt for new attack vectors, they tend to pay particularly close attention to known vulnerabilities, which provide them with an easy entry point into an enterprise's network. Research by the Onapsis Research Labs, SAP, and CISA shows that it takes the average organization 97 days from the time a flaw is identified to the time a patch has been applied, tested, and deployed. At the same time, it takes less than 72 hours for cybercriminals to exploit ERP vulnerabilities after a patch is released.
Next year, we will continue seeing an increase in exploits against known vulnerabilities, especially those within web-facing applications, as those tend to be very lucrative assets for cybercriminals. Organizations must prepare by equipping themselves with automated vulnerability management tools that can provide them with complete visibility over their IT ecosystem and help them understand each vulnerability's level of criticality.
Threat actors will shift away from ransomware and opt for more discreet methods to monetize
Ransomware has historically been the primary method of monetization for threat actors. However, research has revealed a decrease in both ransomware attacks and ransomware payments this past year, suggesting that cybercriminals are evolving their strategies. Rather than blatantly threatening organizations, threat actors will begin leveraging more discreet techniques to make a profit. Threat groups like Elephant Beetle have proven that cybercriminals can enter business-critical applications and remain undetected for months, even years, while silently siphoning off tens of millions of dollars.
While ransomware will still be a prominent cyber threat in the coming year, we will see more malicious groups directly targeting ERP applications. Organizations must develop cybersecurity protocols specifically around their business applications to ensure their most critical resources and valuable data are secure.
Cybersecurity in the Year Ahead
If we've learned anything about the cybersecurity landscape, it's that it is truly unprecedented. As such, the above are only a few of the many trends we can expect to see in 2023. One thing is certain: organizations must be prepared for anything that comes their way.
ABOUT THE AUTHOR
As CTO, JP leads the innovation team that keeps Onapsis on the cutting edge of the Business-Critical Application Security market, addressing some of the most complex problems that organizations are currently facing while managing and securing their ERP landscapes. JP helps manage the development of new products as well as support the ERP cybersecurity research efforts that have garnered critical acclaim for the Onapsis Research Labs.
JP is regularly invited to speak and host trainings at global industry conferences, including Black Hat, HackInTheBox, AppSec, Troopers, Oracle OpenWorld and SAP TechEd, and is a founding member of the Cloud Security Alliance (CSA) Cloud ERP Working Group. Over his professional career, JP has led many Information Security consultancy projects for some of the world's biggest companies in the fields of penetration and web application testing, vulnerability research, infosec auditing and standards, and more.